How GXP Share supports each Part 11 requirement
21 CFR Part 11 defines when electronic records and signatures can be considered equivalent to paper records in FDA-regulated environments. GXP Share includes audit trails, electronic signatures, role-based access controls, and controlled exports as standard capabilities, so customers can implement compliant processes without relying on uncontrolled spreadsheets or manual workarounds.
Validation
GXP Share is delivered with controlled releases and product documentation so customers can validate the platform against their own intended use. Customer-side validation remains a customer responsibility.
Legible copies
Records can be exported as PDF for human review or as CSV and JSON for downstream systems. Audit logs export the same way.
Record protection
Data is encrypted in transit and at rest. Originals are never overwritten. Corrections create a new version alongside the previous one, preserving the full history.
Access controls
Permissions are scoped per organization and per engagement. Roles cover administration, data entry, verification, correction, template authoring, analytics, and read-only access. Sign-in supports password and SSO via Microsoft Entra ID.
Audit trails
Every action that changes a record is logged with the user, a tamper-proof timestamp, and a stated reason. The audit log is built so that any modification, deletion, or insertion of a past entry is detectable on review.
Workflow controls
Workflow steps run in a fixed order. A record cannot be verified before submission, corrected before it is finalised, or approved twice. Once a version is superseded, it becomes read-only.
Action-level permissions
Permissions are checked on every action, not only at sign-in. For signing actions, the system also requires a separate one-time confirmation tied to the user, the action, and the specific record.
Electronic signatures
Signing always requires the user to re-authenticate at the moment of signing. Each signature is recorded with the signer's name, the timestamp, and what the signature means (for example First Entry, Verification, or Peer Review Approval).
Signature linking
Signatures are part of the record they sign. They cannot be detached, moved, or reassigned to a different record.
Two-step signing
Every signature requires two pieces of identification: the user's signed-in account plus a fresh password entry or recent SSO sign-in at the moment of signing.
Authentication
Sign-in uses password authentication and SSO via Microsoft Entra ID. Repeated failed signing attempts lock the account; both the lockout and the unlock are logged.
AI-assisted data extraction with human oversight
GXP Share uses AI-driven OCR to convert scanned batch records and certificates of analysis into machine-readable data. Workflows enforce strict human-in-the-loop oversight: every AI-generated extraction is verified by qualified personnel before it enters a GxP workflow. The approach is designed in line with the draft EU GMP Annex 22 (Artificial Intelligence).
Defined scope
The OCR model's intended use is narrow and documented: extract field values from scanned batch records into validated templates. It does not auto-approve, auto-submit, or make GxP decisions.
Training data quality
Models are trained on representative batch record formats. Training data provenance is tracked and training sets are versioned alongside model releases.
Performance monitoring
Extraction confidence scores are surfaced per field. Model accuracy metrics are monitored over time and reviewed as part of ongoing system oversight.
Human-in-the-loop required
Every AI-extracted value is presented for human review and confirmation before it enters a GxP workflow. The model suggests; the operator decides. No AI output bypasses human oversight.
Change control
Model updates follow a controlled process. New versions are validated against held-out test data before deployment, and the version that produced each extraction is logged.
Full audit trail
The model version, confidence score, extracted value, reviewer identity, and any corrections are all recorded, giving you a complete chain from scan to signed record.
Data integrity (ALCOA+)
ALCOA+ describes the core expectations for trustworthy GxP data: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. GXP Share is designed to make these principles part of everyday data capture, review, approval, and retrieval.
Attributable
Every record is tied to an authenticated user.
Legible
Records are readable in the browser and in PDF export.
Contemporaneous
Timestamps are server-side and tamper-proof.
Original
Source records are never overwritten or deleted.
Accurate
Field validation and double-blind entry catch errors at entry.
Complete
Required fields are enforced before submission.
Have compliance questions?
Book a thirty-minute walkthrough to see how GXP Share supports regulated data capture, review, audit trails, and electronic signatures.
Book a demo